IdentityServer/IdentityServer4

ASP.NET Core CORS policy cannot be mixed with IdentityServer4 CORS

Perustaja opened this issue · 2 comments

Issue #3780 never got resolved and is valid.

If you try to mix the ASP.NET Core default CORS policy control with IdentityServer4's, IdentityServer4 seems to step over it when used as described in the documentation.

As an example, here is my IDP. It has the usual endpoints and then an API for user data. Here is the Startup.cs file as the documentation says to set it up:
[image: Code_9IfU77Pr5b]

The default policy is defined here. The localhost origin is where my Angular client is located.
[image: Code_K2BFKarjtN]

Upon trying to access the API on my IDP, this debug message displays:
[image: Code_PtcyJY2HTC]

Which doesn't seem to make sense. I have debugged a manual service implementation and checked the source code.

It seems like the IdentityServer4 CorsPolicyProvider steps over every other piece of CORS middleware and blocks requests that aren't to the authentication paths. There have been numerous issues surrounding this, but I can't seem to get an API request to go through from my client in any way. Based on other issues, I've tried:

  • Adding a custom ICorsPolicyService service before or after IdentityServer that accepts all requests.
  • Adding the line described in this issue.

Neither seems to work.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.